The most recent makes part of a family of Rootkits. ZeroAccess as it is called, replaces Windows System files and installs kernel hooks in attempt to remain stealth. ZeroAccess utilizes an advances method for protecting itself and disabling any security tool trying to detect and remove it.

ZeroAccess is usually installed on a system by a malicious executable disguised as a cracking tool for popular applications. Once this dropper is executed, it will perform some actions like:

The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\<random> or c:\windows\prefetch\<random>. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.

ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.

The original system driver file is stored inside the virtual file system. The rootkit uses it to provide legitimate information for requests to access the original file information on disk such as md5, digital signature, including a file copy.

The malware will also create a tripwire device. This device is disguised as a normal file on disk, but whenever accessed, it will trigger the rootkit protection routine.

In older variants, the tripwire device used to be named like \\??\Global\systemroot\system32\svchost.exe.

In new variants, the tripwire device is installed in an Alternate Data Stream (ADS).

NOTE: An ADS is an NTFS structure that allows more than one data stream to be associated with a file.

The rootkit tripwire device ADS is usually installed as %SYSTEMROOT%\<randomnumbers>:<randomnumbers>.exe.

Example: \systemroot\3155945044:2870600771.exe

The malware then creates a service, and points its ImagePath to the tripwire device, to run it every time the system boots.

Whenever the tripwire file or the process in memory is accessed by a security tool, the rootkit kernel component will kill the process from the kernel.

In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files. This action is an attempt to disable security related tools and components.

ZeroAccess also establish a network activity to reporting the installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.

We are seeing ZeroAccess associated with other malware families, as FakeAlert and Katusha.

For more details of this threat and remediation steps, please read here.